... easily solved by replacing the JRE's policy files (local_policy.jar and US_export_policy.jar) with their unlimited versions (ah, policy, policy...). If you are looking for these, I used the WebSphere ones (you will need an IBM.com account).

I was far from having a working solution (see this thread), but apart from the fact that I would have to provide strong reasons for this change to the architecture and production teams, this led me to another challenge: I would have to implement HTTPS access with client authentication!

An SSL socket factory implemented for you

It may sound awkward in 2012, but if you want the HTTPS server to identify your Java client (rather than only the server being identified), you will have to write your own implementation of a socket factory.

The Java Runtime Environment doesn't provide ready-to-use classes to do this. Yes, there is javax.net.ssl.SSLSocketFactory.getDefault(), but it requires setting system (and therefore global) properties that point to the certificate files!

The HttpClient SSL Guide provides sample code that implements mutual client and server authentication; unfortunately, its latest stable release (contrib 3.1) is bound to Sun's API through imports such as com.sun.net.ssl.KeyManagerFactory. Needless to say, this will not work on an IBM WebSphere JRE...

Note: there were some changes in the latest trunk revisions, but it looks like they were made for HttpClient 4.x...
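The JRE-neutral way to get a client-authenticating socket factory, as an added example (not the two classes from this article, nor HttpClient's contrib code): it uses only javax.net.ssl, asks the JRE for its own default algorithms instead of naming Sun's, and sets no system properties. The class name, the KEYSTORE_PASS and TRUSTSTORE_PASS environment variables, and the assumption that the private key shares the keystore password are all illustrative.

```java
import java.io.IOException;
import java.io.InputStream;
import java.net.URL;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

/** Added example (hypothetical class): mutual-TLS socket factory without global properties. */
public class ClientAuthContext {

    /** Loads a store of the given type (e.g. "JKS", "PKCS12") from a URL. */
    static KeyStore load(URL url, char[] password, String type)
            throws GeneralSecurityException, IOException {
        KeyStore store = KeyStore.getInstance(type);
        try (InputStream in = url.openStream()) {
            store.load(in, password);
        }
        return store;
    }

    static SSLSocketFactory build(URL keyUrl, char[] keyPass, String keyType,
                                  URL trustUrl, char[] trustPass, String trustType)
            throws GeneralSecurityException, IOException {
        // Client identity: the private key and certificate chain sent to the server.
        // getDefaultAlgorithm() resolves to whatever the running JRE ships.
        KeyManagerFactory kmf =
                KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(load(keyUrl, keyPass, keyType), keyPass); // assumes key password == store password

        // Server validation: only certificates chaining to this truststore are accepted.
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(load(trustUrl, trustPass, trustType));

        // The context is private to this factory; other code in the JVM is unaffected.
        SSLContext context = SSLContext.getInstance("TLS");
        context.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return context.getSocketFactory();
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 4) {
            System.err.println("usage: <keystoreUrl> <keystoreType> <truststoreUrl> <truststoreType>");
            return;
        }
        // Passwords come from the environment (hypothetical names), not from argv.
        char[] keyPass = System.getenv("KEYSTORE_PASS").toCharArray();
        char[] trustPass = System.getenv("TRUSTSTORE_PASS").toCharArray();
        SSLSocketFactory factory = build(new URL(args[0]), keyPass, args[1],
                                         new URL(args[2]), trustPass, args[3]);
        System.out.println("Socket factory ready: " + factory.getClass().getName());
    }
}
```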

Well, we finally come to the purpose of this article: a cleaned-up version of an SSLProtocolSocketFactory for HttpClient 3.1 that you can use with any JRE.

Just get the 2 classes from the next chapter and use them as in the following code. The parameters are self-explanatory: URL, password and type of both the keystore and the truststore (see the Javadoc)...

Debugging

Although IBM now follows the general JSSE rules, you should note that the previous "IBMJSSE" JSSE implementation (not "IBMJSSE2") uses javax.net.debug=true instead of javax.net.debug=all to display all traces (it took me some time to figure it out).